set statusnote if all detail fields are empty

Author: irenaliu18

internal/testing/testdata/testdata.go

@@ -126,6 +126,12 @@ var (
 	//go:embed exampledata/cyclonedx-vex-false-positive.json
 	CycloneDXVEXFalsePositive []byte
 
+	//go:embed exampledata/cyclonedx-vex-resolved-with-pedigree-no-detail.json
+	CycloneDXVEXResolvedWithPedigreeNoDetail []byte
+
+	//go:embed exampledata/cyclonedx-vex-false-positive-no-detail.json
+	CycloneDXVEXFalsePositiveNoDetail []byte
+
 	//go:embed exampledata/cyclonedx-vex.xml
 	CyloneDXVEXExampleXML []byte
 

pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go

@@ -579,6 +579,8 @@ func (c *cyclonedxParser) getVulnerabilities(ctx context.Context) error {
 			vd.KnownSince = publishedTime
 			vd.Statement = vulnerability.Description
 
+			// Extract StatusNotes from analysis detail field.
+			// This applies to all analysis states including resolved_with_pedigree and false_positive.
 			if vulnerability.Analysis.Detail != "" {
 				vd.StatusNotes = vulnerability.Analysis.Detail
 			} else if vulnerability.Analysis.Response != nil {
@@ -587,8 +589,12 @@ func (c *cyclonedxParser) getVulnerabilities(ctx context.Context) error {
 					response = append(response, string(res))
 				}
 				vd.StatusNotes = strings.Join(response, ",")
-			} else {
+			} else if vulnerability.Detail != "" {
 				vd.StatusNotes = vulnerability.Detail
+			} else {
+				// If all detail fields are empty, preserve the CDX state enum information
+				// to avoid losing this metadata (e.g., "CDX state: resolved_with_pedigree")
+				vd.StatusNotes = fmt.Sprintf("CDX state: %s", string(vulnerability.Analysis.State))
 			}
 		} else {
 			vd = model.VexStatementInputSpec{